This is an interesting question. Might it not make more sense to find a
way to disable SCP at the server? Perhaps an sshd_config option. It
would be a long term solution, not something to give this guy right now,
but it might be a useful hack for corporate types. On the other hand,
it occurs to me that if you can get access to the data through an SSH
shell, or a telnet shell, blocking SCP or FTP puts is not really
providing any more security. Think about it. Most OS's these days
have a screen capture; if I really want sensitive data I could just
capture it from a display... It doesn't even seem that it would be
terribly difficult to stream large amounts of data (too much for capture)
into a file (some sort of display redirect to a file). I've never tried,
but it seems fairly possible (at least on *nix). And leaving your
login/passwords in the clear on the wire sounds much more dangerous to me
than allowing FTP puts. A secure shell gateway in from the 'net does
sound like a good idea; we use something similar here (only for Telnets
though, secure connections are allowed through). It would require a two
ply firewall though (one in front of the gateway to disallow everything
but secure connections, one behind to prevent FTP puts to the gateway,
thus creating the whole problem over). Still, all in all I don't
think there is a whole lot of security added by preventing SCP/FTP.
Michael Jinks wrote:
> "H. Wade Minter" wrote:
>
>> So my question is: Is there any way, on a firewall-type level, to block scp
>> traffic, while allowing ssh and slogin? This would allow them to stop file
>> copies, but let secure shells go through.
>
>
> At the firewall, I don't think so; my understanding is that scp is
> really just a wrapper around ssh, and that to a router, ssh and scp are
> going to look exactly the same.
>
> What about setting up some kind of gateway/proxy service, such that
> packets get encrypted at or before the firewall, but after the net nazis
> have a chance to snoop them? Say, a single box which is allowed ssh
> access past the firewall, but which only accepts connections via
> telnet. Internal Security or HR is responsible for that box. Log all
> command lines, log all network traffic to and from that box, but you
> (and your company, which should care about this IMHO if they're that
> paranoid about their data) gain the benefits of encryption outside the
> private net.
>
> Not an ideal solution but then neither is requiring telnet over ssh...
>
--
Thank you,
Trevor Antczak
Network Administrator II
Tulane University Math Dept.
[EMAIL PROTECTED]
(504) 862-3457
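The message above muses about "an sshd_config option" to disable SCP at the server. OpenSSH has no single switch for that, but a `ForceCommand` wrapper gets the same effect: sshd puts whatever the client asked to run into `SSH_ORIGINAL_COMMAND`, and the wrapper can refuse the server-side helpers that scp and sftp invoke while still handing interactive logins a shell. The script below is an added example written for this thread, not code from any of the posters or from OpenSSH; the install path `/usr/local/sbin/no-scp-shell` and the sshd_config line in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: a ForceCommand wrapper that
# allows interactive ssh logins but refuses scp and sftp requests.
#
# Assumed sshd_config line (hypothetical path):
#     ForceCommand /usr/local/sbin/no-scp-shell
#
# sshd exports the client's requested command in SSH_ORIGINAL_COMMAND; it is
# unset for a plain interactive login. scp's client starts "scp -t ..." (write)
# or "scp -f ..." (read) on the server; sftp starts the sftp-server subsystem.

# classify_request REQUEST -> exit status 0 (allow) or 1 (deny)
classify_request() {
    req="$1"
    case "$req" in
        "")                         return 0 ;;   # interactive shell: allow
        scp\ *|*/scp\ *)            return 1 ;;   # scp -t / scp -f server helper
        internal-sftp|*sftp-server*) return 1 ;;  # sftp subsystem
        *)                          return 0 ;;   # other remote commands: allow
    esac
}

# Entry point when sshd runs this script as the forced command.
run_wrapper() {
    if classify_request "${SSH_ORIGINAL_COMMAND-}"; then
        if [ -z "${SSH_ORIGINAL_COMMAND-}" ]; then
            exec "${SHELL:-/bin/sh}" -l
        else
            exec "${SHELL:-/bin/sh}" -c "$SSH_ORIGINAL_COMMAND"
        fi
    else
        # Log the refusal so the attempt is visible to whoever audits the gateway.
        logger -t no-scp-shell \
            "refused file transfer request from ${SSH_CLIENT-unknown}: $SSH_ORIGINAL_COMMAND"
        echo "file transfer over ssh is disabled on this host" >&2
        exit 1
    fi
}

# SSH_CONNECTION is only set when sshd launched us; otherwise the functions
# above are just defined (e.g. for testing).
if [ -n "${SSH_CONNECTION-}" ]; then
    run_wrapper
fi
```

As the original poster already points out, this does not close the channel: any allowed remote command (`cat`, `tar`, `rsync`) or an interactive session with terminal logging can still carry the file out, so the wrapper is a policy signal and an audit hook rather than a data-loss control.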